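# NixOS module: a local nginx caching reverse proxy in front of
# https://cache.nixos.org. The name in `domain` is pointed at 127.0.0.1 through
# the hosts file, so the proxy is addressed by that name on this machine.
{ config, lib, ... }:
let
  # Host name the virtual host answers on; it resolves only via extraHosts below.
  domain = "awesome.cache";
in
{
  networking.extraHosts = ''
    127.0.0.1 ${domain}
  '';

  services.nginx = {
    enable = true;

    # Cache zone "nixos": 100m of shared memory for cache keys; entries that
    # have not been requested for 365 days are evicted.
    proxyCachePath.nixos = {
      enable = true;
      inactive = "365d";
      keysZoneSize = "100m";
      keysZoneName = "nixos";
    };

    virtualHosts = {
      ${domain} = {
        # nginx skips caching for responses that carry Set-Cookie unless that
        # header is ignored. Hiding it as well keeps an upstream cookie from
        # being replayed to every client served from the cache.
        extraConfig = ''
          proxy_cache nixos;
          proxy_ignore_headers "Set-Cookie";
          proxy_hide_header "Set-Cookie";
          proxy_buffering on;
        '';
        locations."/" = {
          # The recommended proxy headers are turned off and Host is set by
          # hand, so the upstream sees its own name rather than ${domain}.
          recommendedProxySettings = false;
          proxyPass = "https://cache.nixos.org";
          # proxy_ssl_server_name makes nginx send SNI for the upstream host;
          # it is off by default, and a CDN-hosted upstream may then present a
          # certificate for a different site or refuse the handshake.
          #
          # NOTE(review): proxy_ssl_verify is off by default, so the upstream
          # certificate is not validated on this hop. Consider enabling it with
          # proxy_ssl_trusted_certificate pointing at the system CA bundle.
          # Clients of this cache should keep signature checking enabled
          # (require-sigs / trusted-public-keys), since that is what
          # authenticates store paths fetched through an intermediate cache.
          extraConfig = ''
            proxy_set_header Host "cache.nixos.org";
            proxy_ssl_server_name on;
          '';
        };
      };
    };
  };

  # Original author's note: most likely not needed.
  #
  # Each lib.mkForce below overrides whatever the nginx unit would otherwise
  # set for that directive, so the service runs without filesystem, device,
  # kernel-interface and privilege-escalation sandboxing. nginx here parses
  # client requests and upstream responses, so this containment is what limits
  # the damage of a compromised worker.
  # NOTE(review): remove this block, or restore the directives one at a time.
  # If the only problem is a cache directory nginx cannot write to, granting
  # that one path with ReadWritePaths is a much narrower exception than
  # disabling ProtectSystem, NoNewPrivileges and the rest.
  systemd.services.nginx.serviceConfig = {
    RestrictNamespaces = lib.mkForce false;
    ProtectSystem = lib.mkForce false;
    ProtectControlGroups = lib.mkForce false;
    ProtectHome = lib.mkForce false;
    ProtectHostname = lib.mkForce false;
    ProtectKernelLogs = lib.mkForce false;
    ProtectKernelModules = lib.mkForce false;
    ProtectKernelTunables = lib.mkForce false;
    PrivateDevices = lib.mkForce false;
    PrivateMounts = lib.mkForce false;
    PrivateTmp = lib.mkForce false;
    MemoryDenyWriteExecute = lib.mkForce false;
    NoNewPrivileges = lib.mkForce false;
    ProtectProc = lib.mkForce "default";
    RestrictRealtime = lib.mkForce false;
    RestrictSUIDSGID = lib.mkForce false;
  };

  # Disabled: hand ownership of /data to the nginx user.
  #services.permown."/data" = {
  #  owner = "nginx";
  #};

  # Disabled: tie the ownership fix-up unit to the lifetime of nginx.service.
  #systemd.services."permown./data" = {
  #  bindsTo = [ "nginx.service" ];
  #  after = [ "nginx.service" ];
  #};
}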